Life after death – still stuck with Windows 7 and Server 2008?
As the literary saying goes ‘The best-laid plans of mice and men often go awry’. Many of us have found this to be true when migrating away from Windows Server 2008 (R2) and Windows 7.
Whether due to budgetary or resource constraints or application incompatibilities, the effect is the same. We’re now faced with the prospect of retaining a legacy, out-of-support, insecure component right at the heart of our organisations, whether that’s in our datacentres or on our endpoints.
Microsoft has already released the first extended security updates for Windows 7 and Server 2008 R2, and bad actors are already working hard to reverse engineer those updates and create exploits. It may not be this month or the next, but it’s inevitable that working exploit code will soon surface, and not just for these vulnerabilities but for any vulnerability discovered in the future.
Faced with this prospect, how do we secure our organisations?
The best route with the most value is still to continue with migration.
At Cetus we have a proven migration methodology and a range of technologies to assist you with your migration. We can help you overcome the challenges preventing migration. Not only does this relieve the headache of worrying about security, you’ll also be able to take advantage of new features offered by modern operating systems. We can help you get the most out of these features to reduce costs, improve productivity and justify the cost of migration.
Extended Security Updates
If you’re not able to migrate, consider extending your support to continue to receive security updates.
Microsoft offers up to three years of Extended Security Updates (ESU) for both Windows 7 and Windows Server 2008 (R2).
Organisations can purchase ESU at any time during the next three years. If an organisation waits and purchases ESU for the first time in year two or year three, it will also have to pay for the preceding years. Additionally, ESU for Server 2008 R2 requires Software Assurance (SA).
Alternatively, migrate these workloads to Azure and receive free ESU for up to three years. Cetus can assist with a proven migration methodology and advanced migration tools. A migration to Azure can be a surprisingly low-risk and easy option.
If neither migration nor extending security updates is viable, then we must consider how we can improve the security posture to compensate for retaining vulnerable operating systems.
AV and VLAN-based firewalling provide incomplete protection. To improve posture, we must supplement these with extended controls. These controls act beyond just threat detection and response and are implemented outside of the operating system to separate the attack surface from the protection.
In fact, these measures shouldn’t just apply to legacy, out-of-support operating systems but should be implemented for all your cloud or datacentre workloads. Some of the core compensatory controls are described below.
A distributed firewall provides protection not just between VLANs but between machines in the same VLAN, and extends a consistent firewall beyond the datacentre into the cloud. This micro-segmentation helps to contain threats and prevents lateral spread should a machine be compromised. Even where communication is permitted, Layer 7 inspection ensures the communication is legitimate and detects known exploit attempts, blocking traffic to prevent compromise in the first place.
Workload Behaviour Monitoring
Hypervisor behaviour enforcement can learn a virtual machine’s good behaviour and detect and respond to abnormal behaviour. This breaks the cat-and-mouse cycle of chasing bad behaviour and instead focuses on permitting only what we know to be good.
Application and Desktop Virtualisation
Application virtualisation allows us to separate insecure Windows 7 apps from secure Windows 10 endpoints. By bringing the Windows 7 apps into our datacentres we can extend datacentre controls to desktop operating systems.
Desktop virtualisation goes further, allowing us to bring not only the apps but also the endpoint OS into the datacentre. Replacing the endpoint operating system with a thin-client OS reduces the attack surface significantly.
Alternatively, application containerisation allows us to package legacy Windows 7 apps in a secure container and run them as an application on a Windows 10 endpoint. The secure container adds additional security and provides a layer of abstraction to prevent malicious behaviour affecting the endpoint.
Remember, these compensatory controls are not just great for mitigating the vulnerabilities in legacy operating systems, but they also greatly improve the security posture for modern operating systems too. To find out more about how they work, or to get help with migrations or ESU, talk to Cetus.
Credit: Sam Mulhearn – Solutions Architect, Cetus Solutions